OWASP Passfault: Better Password Policies

Presentation for OWASP Snow FROC Conference 2012: Introduction to Passfault, a new OWASP tool for Password Policies
by Cam Morris on 3 February 2014

Transcript of OWASP Passfault: Better Password Policies

OWASP
Passfault

Why?
How?
Passwords Can Be Better
Policies don't measure password strength
They test for compliance with good advice
You can follow the advice, and still make weak passwords
#1Eagles
Special Chars
Number
Upper and Lower
Eight Characters
But still weak
Are password policies in your organization effective?
"No"
qwerQWER1234!@#$
Long! Looks strong
Passes any policy
But very guessable
*Why do companies create yearly training for passwords if their password policies are working?
How do you measure password strength?
Identify Patterns
English Word
Spanish Word
Dates
Slang Words
City Names
Misspelled Word
Word with Special Character Substitution
Word with Special Character Inserted
Backwards Word
Horizontal Keyboard Sequence
Diagonal Keyboard Sequence
Repeated Characters
Random Latin Characters
Random Cyrillic Characters
How many passwords fit in the Pattern
More Accurate
More Meaningful
Like a needle in a haystack.
How big is the haystack?*
*Gibson Research Center, "Password Haystacks"
Estimate Time to Crack
Represents current hardware
Communicates the risk
Enables self-training
Tie Policy to Strength
Simpler configuration
Better manage risk
Set the policy to an acceptable level of risk
Accurate
Identifies more weak passwords, yet allows strong passwords that don't pass traditional policies
Provides detailed analysis of the password so users quickly learn how to create strong passwords without training
Informative
Simple
Communicates the risk of poor passwords with the "time to crack"
Powerful
Empowers administrators to know and control the strength of passwords for the organization
Results
Leet Speak
Speaker: Cam Morris
Creator and Project Lead
Software Security Specialist


10+ years development+security
cam.morris@owasp.org
Why Not Use Password Strength?
Password Policies Stink!
Of People and Passwords:
"successfully creating a password is significantly more difficult under stricter password policies"
Password length was the only significant predictor of password strength
Examples
- Komanduri et al., Carnegie Mellon & NIST
In the password
Measure Pattern Size
Find Weakest Combination
Combined size of the patterns is the measurement of strength.

Worst Case Scenario:
Hacker knows what patterns you used.
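As an added illustration of the approach the slides describe (identify patterns, measure each pattern's size, find the weakest combination, convert the result to a time to crack), here is a small Python model; it is not Passfault's own code, and the word list, keyboard rows, case and leet multipliers and guess rate are constructed assumptions standing in for the real dictionaries and hardware figures.

```python
# Constructed stand-ins for Passfault's real word lists and key layouts (assumptions).
WORDS = {"eagles", "password", "dragon"}
DICT_SIZE = 20_000          # assumed size of a real English word list
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "!@#$%^&*()"]
PRINTABLE = 95              # printable ASCII: the "random Latin characters" fallback
LEET = str.maketrans("4301$@", "aeoisa")   # reverse leet-speak substitutions
GUESSES_PER_SEC = 1e9       # assumed cracking speed; update for current hardware

def pattern_size(t):
    """Smallest pattern that explains substring t, and how many passwords fit in it."""
    n = len(t)
    candidates = [("random", PRINTABLE ** n)]
    if n >= 2 and len(set(t)) == 1:
        candidates.append(("repeat", PRINTABLE))      # only the repeated character is a choice
    low = t.lower()
    if n >= 3 and any(low in r or low in r[::-1] for r in KEYBOARD_ROWS):
        runs = sum(max(0, len(r) - n + 1) for r in KEYBOARD_ROWS)
        candidates.append(("keyboard", runs * 2))     # every run of this length, both directions
    unleet = low.translate(LEET)
    if unleet in WORDS:
        size = DICT_SIZE
        size *= 2 if low != t else 1                  # assumed capitalisation multiplier
        size *= 2 if unleet != low else 1             # assumed leet-substitution multiplier
        candidates.append(("word", size))
    return min(candidates, key=lambda c: c[1])

def analyze(password):
    """Weakest combination of patterns covering the whole password (dynamic programming)."""
    n = len(password)
    best = [(1, [])] + [None] * n                     # best[i]: (size, segments) for password[:i]
    for i in range(1, n + 1):
        for j in range(i):
            name, size = pattern_size(password[j:i])
            total = best[j][0] * size
            if best[i] is None or total < best[i][0]:
                best[i] = (total, best[j][1] + [(password[j:i], name, size)])
    size, parts = best[n]
    return size, parts, size / GUESSES_PER_SEC       # size, explanation, seconds to crack

if __name__ == "__main__":
    for pw in ("#1Eagles", "qwerQWER1234!@#$", "T7#kPq2v"):
        size, parts, secs = analyze(pw)
        print(f"{pw:18} fits {size:.2e} passwords, ~{secs:.3g}s to crack:", parts)
```

The 16-character keyboard-walk password from the slides scores below the 8-character "#1Eagles", and both fall far below 8 random printable characters, which is the point of measuring pattern size rather than policy compliance.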
Next
Web Projects
Improvements
Linux
C
JSON
Service
Applet
Real-time analysis
More Meaningful Dictionaries
More Patterns
Java Library
Beta
Stable
3500 lines of Code
3000 lines of Unit Tests
Alpha
Returns JSON
Password never leaves the Browser
Alpha
Easy Platform Independence
Servlet
Google App Engine
JQuery
Plugin
Future
Derived from the Demo Page
Use Applet or JSON service
Possible Projects
C++
JavaScript
Windows
.NET
JavaScript with GWT
https://passfault.appspot.com
Current Password Advice
is not wrong...
but it's not exactly right
it encourages one type of pattern
Length is King
12 random characters
4 random words
2 misspelled words
Obscurity Vs. Security
Password Pattern Size
Favors secure patterns
Not obscure patterns.
Backwards Word = Word